Risk management likelihood criteria
In this session what I want to talk about is likelihood criteria. Now I’ve seen the full gamut, from people using percentages (90 to 99% is almost certain, where almost certain means the event is expected to occur in most circumstances).
I’ve seen organisations use instances per year, and I’ve also seen instances per transaction. But what happens when you’ve got an organisation where, for one part of the organisation, one likelihood criterion is appropriate, but for another part a different criterion is appropriate?
And I’ll give you an example, I’ve recently been working with an organisation that does multiple millions of transactions per year and we talked about the number of fraud events that have been discovered and on any given year there might be sort of five to ten fraudulent events discovered.
Now, if you were to use an annual-based or time-based likelihood criterion for that organisation, where anything greater than one instance per year was almost certain, then it would be almost certain that the fraud event is going to occur. But what if we turn that around and say, well, hang on, they’ve done 5 million transactions in that particular period and there are only five instances of fraud?
Five in 5 million is a one in 1 million chance that you’re going to have that fraudulent activity. Would you say that is almost certain, or is that rare? That’s up to the organisation to decide, but what I’m advocating is that there is absolutely nothing wrong in having your likelihood criteria segregated.
So that you have, for operational risks, anything greater than once a year considered almost certain, and for transactional risks, anything greater than 0.1% or 0.2% of transactions considered almost certain. That way you can actually assess the likelihood of that particular event occurring in a way that is commensurate with the actual likelihood that it’s going to occur.
This is a really important part of it, because if we take that example once again, the same five events per year are a one in 1 million chance per transaction. It could be the difference between almost certain and rare in terms of our likelihood assessment, which means the level of the risk is going to be completely different based on the likelihood criteria we use.
Therefore, the effort that we put in in terms of managing that risk above the existing controls could mean that we’re spending more resources than we necessarily need to do.
So, one of the things that I believe organisations should be doing now is going in and determining which parts of their organisation can use things like numbers per year, and which other parts should be looking at transactional rates.
There is absolutely nothing wrong with maintaining those side by side in the same likelihood matrix that you use.
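To show what a segregated likelihood matrix looks like in practice, here is an added example (not from the session itself). The "almost certain" thresholds, more than once per year and more than 0.1% of transactions, are the figures given above; the lower bands, the consequence scale and the risk-level mapping are assumed for illustration and would be set by the organisation.

```python
from dataclasses import dataclass

RATINGS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LEVELS = ["Low", "Medium", "High", "Extreme"]

# Two criteria held side by side in one matrix. A value must exceed a threshold
# to move up a band. The top threshold of each list (more than once per year;
# more than 0.1% of transactions) comes from the session; the rest are assumed.
THRESHOLDS = {
    "operational": [0.05, 0.2, 0.5, 1.0],        # events per year
    "transactional": [1e-5, 1e-4, 5e-4, 1e-3],   # events per transaction
}

@dataclass
class ObservedRisk:
    name: str
    events: int          # events discovered in the observation period
    years: float         # length of the observation period in years
    transactions: int    # transactions processed in that period

    def per_year(self) -> float:
        return self.events / self.years

    def per_transaction(self) -> float:
        return self.events / self.transactions

def rate(value: float, basis: str) -> str:
    """Map a frequency (operational) or rate (transactional) to a rating."""
    band = sum(1 for t in THRESHOLDS[basis] if value > t)
    return RATINGS[band]

def likelihood(risk: ObservedRisk, basis: str) -> str:
    """Rate the same observed data under whichever basis the organisation picks."""
    value = risk.per_year() if basis == "operational" else risk.per_transaction()
    return rate(value, basis)

def risk_level(likelihood_rating: str, consequence: str) -> str:
    """Assumed 5x5 matrix: combined score 0-8 collapsed onto four levels."""
    score = RATINGS.index(likelihood_rating) + CONSEQUENCES.index(consequence)
    return LEVELS[min(score // 2, 3)]

# Constructed figures matching the session: five fraud events in 5 million transactions a year.
FRAUD = ObservedRisk("transaction fraud", events=5, years=1.0, transactions=5_000_000)

if __name__ == "__main__":
    for basis in ("operational", "transactional"):
        rating = likelihood(FRAUD, basis)
        print(f"{FRAUD.name} on a {basis} basis: {rating}, "
              f"risk level with Moderate consequence: {risk_level(rating, 'Moderate')}")
```

Run stand-alone it shows the same five events rated Almost certain on the annual basis and Rare on the transactional basis, with the resulting risk level moving two steps on the assumed matrix.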
That’s all I have for this session, as always let’s be careful out there.